Google patches 9 Chrome bugs, pays more to top researchers
- 23 March, 2012 05:19
Google yesterday patched nine vulnerabilities in Chrome in the sixth security update to Chrome 17, the edition that launched Feb. 8.
Wednesday's update was the first since the Chrome security team issued a pair of quick fixes during the "Pwnium" hacking event held March 7-9 at the CanSecWest security conference.
Six of the nine bugs patched Wednesday were rated "high," the second-most dire ranking in Google's threat system. One was marked "medium," and the remaining two were labeled "low."
Google paid $5,500 in bounties to four researchers for reporting five bugs. The four other vulnerabilities were uncovered by members of Google's own security team or were too minor to be eligible for a bonus.
Three of the four researchers who reported flaws fixed in Chrome 17 yesterday have been recently recognized by Google.
Sergey Glazunov, who received a $2,000 bounty for submitting a bug described by Google as "cross-origin violation with 'magic iframe,'" was one of two $60,000 prize winners at Pwnium earlier this month.
Glazunov was the first to claim cash at Pwnium, the Chrome-only hacking challenge that Google created after it withdrew from the long-running Pwn2Own contest over objections about the latter's exploit reporting practices.
Two others, Arthur Gerkis and a researcher known as "miaubiz," received $1,000 and $2,000, respectively, for bugs that Google patched yesterday.
Gerkis and miaubiz were two of the three outside bug hunters who were given special $10,000 bonuses three weeks ago for what Google called "sustained, extraordinary" contributions to its vulnerability reporting program.
So far this year, Google has paid nearly $200,000 to outside researchers through its bug bounty and Pwnium programs.
Google will not be patching a Chrome bug revealed in "Pwn2Own," the other hacking contest that ran at CanSecWest.
At Pwn2Own, a team from the French security firm Vupen exploited Chrome by using a one-two punch of a bug in Flash Player -- which Google bundles with its browser -- and a Chrome "sandbox escape" vulnerability.
Because Pwn2Own sponsor HP TippingPoint's Zero Day Initiative (ZDI) bug bounty program does not require researchers to disclose sandbox escape vulnerabilities, Google was not told how the Vupen team hacked Chrome.
Yesterday's update to Chrome 17 can be downloaded for Windows, Mac OS X and Linux from Google's website. Users running the browser will receive the new version automatically through its silent, in-the-background update service.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.